52dd16b74f674d2152c6c5be2819b6e68b3f7c21a26e5876fec4d246903480ea

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
22/01/2024, 15:42

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

52dd16b74f674d2152c6c5be2819b6e68b3f7c21a26e5876fec4d246903480ea.exe
Size

1.2MB
MD5

58a8d979ca8ee3515c36265935919e05
SHA1

dc6ee7d893ac67deb2cf07fd84d087a838fd6044
SHA256

52dd16b74f674d2152c6c5be2819b6e68b3f7c21a26e5876fec4d246903480ea
SHA512

da34e71b993ee8afa572c3fb4d9473c56214502ee0824ae0ed15418d8ecbec43d77252a2688b1f7c866c112e72fe173b62e3f32d0252cf504cbd216dc9a8c7b8
SSDEEP

24576:XRyezuoM0MJtdhWy6mv2WkTKzqVqoACHLklE/RL9dF717RQXr+7E:U1onW72WkT1VKCHLklE/RLF7M+

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
464	Process not Found
2820	alg.exe
2896	aspnet_state.exe
2936	mscorsvw.exe
2624	mscorsvw.exe
2944	elevation_service.exe
2548	GROOVE.EXE
1760	maintenanceservice.exe
736	OSE.EXE
2760	OSPPSVC.EXE
2504	mscorsvw.exe
2256	mscorsvw.exe
2816	mscorsvw.exe
2956	mscorsvw.exe
2948	mscorsvw.exe
2028	mscorsvw.exe
1940	mscorsvw.exe
1360	mscorsvw.exe
768	mscorsvw.exe
300	mscorsvw.exe
684	mscorsvw.exe
2192	mscorsvw.exe
2140	mscorsvw.exe
2848	mscorsvw.exe
2108	mscorsvw.exe
1284	mscorsvw.exe
2792	mscorsvw.exe
1636	mscorsvw.exe
1436	mscorsvw.exe
1660	mscorsvw.exe
1116	mscorsvw.exe
1772	mscorsvw.exe
676	mscorsvw.exe
1104	mscorsvw.exe
988	mscorsvw.exe
1632	mscorsvw.exe
296	mscorsvw.exe
1548	mscorsvw.exe
2128	mscorsvw.exe
2208	mscorsvw.exe
2064	mscorsvw.exe
1552	mscorsvw.exe
1928	mscorsvw.exe
2908	mscorsvw.exe
2740	mscorsvw.exe
1492	mscorsvw.exe
1932	mscorsvw.exe
1728	mscorsvw.exe
1652	mscorsvw.exe
1524	mscorsvw.exe
1104	mscorsvw.exe
2208	mscorsvw.exe
756	mscorsvw.exe
2108	mscorsvw.exe
2132	mscorsvw.exe
2536	mscorsvw.exe
2348	mscorsvw.exe
2252	mscorsvw.exe
564	mscorsvw.exe
768	mscorsvw.exe
2104	mscorsvw.exe
2140	mscorsvw.exe
2428	mscorsvw.exe
2040	mscorsvw.exe

Loads dropped DLL 41 IoCs

pid	Process
464	Process not Found
2208	mscorsvw.exe
2208	mscorsvw.exe
1552	mscorsvw.exe
1552	mscorsvw.exe
2908	mscorsvw.exe
2908	mscorsvw.exe
1492	mscorsvw.exe
1492	mscorsvw.exe
1728	mscorsvw.exe
1728	mscorsvw.exe
1524	mscorsvw.exe
1524	mscorsvw.exe
2208	mscorsvw.exe
2208	mscorsvw.exe
2108	mscorsvw.exe
2108	mscorsvw.exe
2536	mscorsvw.exe
2536	mscorsvw.exe
2252	mscorsvw.exe
2252	mscorsvw.exe
768	mscorsvw.exe
768	mscorsvw.exe
2140	mscorsvw.exe
2140	mscorsvw.exe
2040	mscorsvw.exe
2040	mscorsvw.exe
2012	mscorsvw.exe
2012	mscorsvw.exe
2368	mscorsvw.exe
2368	mscorsvw.exe
2464	mscorsvw.exe
2464	mscorsvw.exe
2588	mscorsvw.exe
2588	mscorsvw.exe
2444	mscorsvw.exe
2444	mscorsvw.exe
1360	mscorsvw.exe
1360	mscorsvw.exe
1492	mscorsvw.exe
1492	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\System32\alg.exe	52dd16b74f674d2152c6c5be2819b6e68b3f7c21a26e5876fec4d246903480ea.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\853ffc3593c0dc56.bin	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	mscorsvw.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2launcher.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	mscorsvw.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP619.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	alg.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDD6.tmp\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPF1DE.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPFF55.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2A0.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1342.tmp\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2404.tmp\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	alg.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1516	52dd16b74f674d2152c6c5be2819b6e68b3f7c21a26e5876fec4d246903480ea.exe
Token: SeShutdownPrivilege	2936	mscorsvw.exe
Token: SeShutdownPrivilege	2624	mscorsvw.exe
Token: SeShutdownPrivilege	2936	mscorsvw.exe
Token: SeShutdownPrivilege	2624	mscorsvw.exe
Token: SeShutdownPrivilege	2936	mscorsvw.exe
Token: SeShutdownPrivilege	2936	mscorsvw.exe
Token: SeShutdownPrivilege	2624	mscorsvw.exe
Token: SeShutdownPrivilege	2624	mscorsvw.exe
Token: SeDebugPrivilege	2820	alg.exe
Token: SeShutdownPrivilege	2936	mscorsvw.exe
Token: SeShutdownPrivilege	2624	mscorsvw.exe
Token: SeDebugPrivilege	2936	mscorsvw.exe
Token: SeShutdownPrivilege	2936	mscorsvw.exe
Token: SeShutdownPrivilege	2624	mscorsvw.exe
Token: SeShutdownPrivilege	2936	mscorsvw.exe
Token: SeShutdownPrivilege	2936	mscorsvw.exe
Token: SeShutdownPrivilege	2936	mscorsvw.exe
Token: SeShutdownPrivilege	2936	mscorsvw.exe
Token: SeShutdownPrivilege	2624	mscorsvw.exe
Token: SeShutdownPrivilege	2624	mscorsvw.exe
Token: SeShutdownPrivilege	2624	mscorsvw.exe
Token: SeShutdownPrivilege	2936	mscorsvw.exe
Token: SeShutdownPrivilege	2624	mscorsvw.exe
Token: SeShutdownPrivilege	2936	mscorsvw.exe
Token: SeShutdownPrivilege	2624	mscorsvw.exe
Token: SeShutdownPrivilege	2936	mscorsvw.exe
Token: SeShutdownPrivilege	2624	mscorsvw.exe
Token: SeShutdownPrivilege	2936	mscorsvw.exe
Token: SeShutdownPrivilege	2624	mscorsvw.exe
Token: SeShutdownPrivilege	2936	mscorsvw.exe
Token: SeShutdownPrivilege	2624	mscorsvw.exe
Token: SeShutdownPrivilege	2936	mscorsvw.exe
Token: SeShutdownPrivilege	2624	mscorsvw.exe
Token: SeShutdownPrivilege	2936	mscorsvw.exe
Token: SeShutdownPrivilege	2624	mscorsvw.exe
Token: SeShutdownPrivilege	2936	mscorsvw.exe
Token: SeShutdownPrivilege	2624	mscorsvw.exe
Token: SeShutdownPrivilege	2936	mscorsvw.exe
Token: SeShutdownPrivilege	2624	mscorsvw.exe
Token: SeShutdownPrivilege	2936	mscorsvw.exe
Token: SeShutdownPrivilege	2624	mscorsvw.exe
Token: SeShutdownPrivilege	2936	mscorsvw.exe
Token: SeShutdownPrivilege	2624	mscorsvw.exe
Token: SeShutdownPrivilege	2936	mscorsvw.exe
Token: SeShutdownPrivilege	2624	mscorsvw.exe
Token: SeShutdownPrivilege	2936	mscorsvw.exe
Token: SeShutdownPrivilege	2624	mscorsvw.exe
Token: SeShutdownPrivilege	2936	mscorsvw.exe
Token: SeShutdownPrivilege	2624	mscorsvw.exe
Token: SeShutdownPrivilege	2936	mscorsvw.exe
Token: SeShutdownPrivilege	2624	mscorsvw.exe
Token: SeShutdownPrivilege	2936	mscorsvw.exe
Token: SeShutdownPrivilege	2624	mscorsvw.exe
Token: SeShutdownPrivilege	2936	mscorsvw.exe
Token: SeShutdownPrivilege	2624	mscorsvw.exe
Token: SeShutdownPrivilege	2936	mscorsvw.exe
Token: SeShutdownPrivilege	2624	mscorsvw.exe
Token: SeShutdownPrivilege	2936	mscorsvw.exe
Token: SeShutdownPrivilege	2624	mscorsvw.exe
Token: SeShutdownPrivilege	2936	mscorsvw.exe
Token: SeShutdownPrivilege	2624	mscorsvw.exe
Token: SeShutdownPrivilege	2936	mscorsvw.exe
Token: SeShutdownPrivilege	2624	mscorsvw.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2936 wrote to memory of 2504	2936	mscorsvw.exe	37
PID 2936 wrote to memory of 2504	2936	mscorsvw.exe	37
PID 2936 wrote to memory of 2504	2936	mscorsvw.exe	37
PID 2936 wrote to memory of 2504	2936	mscorsvw.exe	37
PID 2936 wrote to memory of 2256	2936	mscorsvw.exe	38
PID 2936 wrote to memory of 2256	2936	mscorsvw.exe	38
PID 2936 wrote to memory of 2256	2936	mscorsvw.exe	38
PID 2936 wrote to memory of 2256	2936	mscorsvw.exe	38
PID 2936 wrote to memory of 2816	2936	mscorsvw.exe	39
PID 2936 wrote to memory of 2816	2936	mscorsvw.exe	39
PID 2936 wrote to memory of 2816	2936	mscorsvw.exe	39
PID 2936 wrote to memory of 2816	2936	mscorsvw.exe	39
PID 2936 wrote to memory of 2956	2936	mscorsvw.exe	40
PID 2936 wrote to memory of 2956	2936	mscorsvw.exe	40
PID 2936 wrote to memory of 2956	2936	mscorsvw.exe	40
PID 2936 wrote to memory of 2956	2936	mscorsvw.exe	40
PID 2936 wrote to memory of 2948	2936	mscorsvw.exe	41
PID 2936 wrote to memory of 2948	2936	mscorsvw.exe	41
PID 2936 wrote to memory of 2948	2936	mscorsvw.exe	41
PID 2936 wrote to memory of 2948	2936	mscorsvw.exe	41
PID 2936 wrote to memory of 2028	2936	mscorsvw.exe	42
PID 2936 wrote to memory of 2028	2936	mscorsvw.exe	42
PID 2936 wrote to memory of 2028	2936	mscorsvw.exe	42
PID 2936 wrote to memory of 2028	2936	mscorsvw.exe	42
PID 2936 wrote to memory of 1940	2936	mscorsvw.exe	43
PID 2936 wrote to memory of 1940	2936	mscorsvw.exe	43
PID 2936 wrote to memory of 1940	2936	mscorsvw.exe	43
PID 2936 wrote to memory of 1940	2936	mscorsvw.exe	43
PID 2936 wrote to memory of 1360	2936	mscorsvw.exe	44
PID 2936 wrote to memory of 1360	2936	mscorsvw.exe	44
PID 2936 wrote to memory of 1360	2936	mscorsvw.exe	44
PID 2936 wrote to memory of 1360	2936	mscorsvw.exe	44
PID 2936 wrote to memory of 768	2936	mscorsvw.exe	45
PID 2936 wrote to memory of 768	2936	mscorsvw.exe	45
PID 2936 wrote to memory of 768	2936	mscorsvw.exe	45
PID 2936 wrote to memory of 768	2936	mscorsvw.exe	45
PID 2936 wrote to memory of 300	2936	mscorsvw.exe	46
PID 2936 wrote to memory of 300	2936	mscorsvw.exe	46
PID 2936 wrote to memory of 300	2936	mscorsvw.exe	46
PID 2936 wrote to memory of 300	2936	mscorsvw.exe	46
PID 2936 wrote to memory of 684	2936	mscorsvw.exe	47
PID 2936 wrote to memory of 684	2936	mscorsvw.exe	47
PID 2936 wrote to memory of 684	2936	mscorsvw.exe	47
PID 2936 wrote to memory of 684	2936	mscorsvw.exe	47
PID 2936 wrote to memory of 2192	2936	mscorsvw.exe	48
PID 2936 wrote to memory of 2192	2936	mscorsvw.exe	48
PID 2936 wrote to memory of 2192	2936	mscorsvw.exe	48
PID 2936 wrote to memory of 2192	2936	mscorsvw.exe	48
PID 2936 wrote to memory of 2140	2936	mscorsvw.exe	49
PID 2936 wrote to memory of 2140	2936	mscorsvw.exe	49
PID 2936 wrote to memory of 2140	2936	mscorsvw.exe	49
PID 2936 wrote to memory of 2140	2936	mscorsvw.exe	49
PID 2936 wrote to memory of 2848	2936	mscorsvw.exe	50
PID 2936 wrote to memory of 2848	2936	mscorsvw.exe	50
PID 2936 wrote to memory of 2848	2936	mscorsvw.exe	50
PID 2936 wrote to memory of 2848	2936	mscorsvw.exe	50
PID 2936 wrote to memory of 2108	2936	mscorsvw.exe	51
PID 2936 wrote to memory of 2108	2936	mscorsvw.exe	51
PID 2936 wrote to memory of 2108	2936	mscorsvw.exe	51
PID 2936 wrote to memory of 2108	2936	mscorsvw.exe	51
PID 2936 wrote to memory of 1284	2936	mscorsvw.exe	52
PID 2936 wrote to memory of 1284	2936	mscorsvw.exe	52
PID 2936 wrote to memory of 1284	2936	mscorsvw.exe	52
PID 2936 wrote to memory of 1284	2936	mscorsvw.exe	52

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\52dd16b74f674d2152c6c5be2819b6e68b3f7c21a26e5876fec4d246903480ea.exe
"C:\Users\Admin\AppData\Local\Temp\52dd16b74f674d2152c6c5be2819b6e68b3f7c21a26e5876fec4d246903480ea.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1516

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2820

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2896

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2936
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2504
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2256
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 250 -NGENProcess 258 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2816
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 240 -NGENProcess 248 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2956
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 23c -NGENProcess 258 -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2948
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 1d4 -NGENProcess 244 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2028
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1ec -NGENProcess 260 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1940
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 23c -NGENProcess 26c -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1360
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 270 -NGENProcess 260 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:768
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 274 -NGENProcess 244 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:300
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 274 -NGENProcess 270 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:684
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 1ec -NGENProcess 244 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2192
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 278 -NGENProcess 284 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2140
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 23c -NGENProcess 288 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2848
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 268 -NGENProcess 244 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2108
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 28c -NGENProcess 260 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1284
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 23c -NGENProcess 290 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2792
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 288 -NGENProcess 260 -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1636
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 294 -NGENProcess 28c -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1436
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 23c -NGENProcess 29c -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1660
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 278 -NGENProcess 2a0 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1116
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 28c -NGENProcess 2a4 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1772
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 29c -NGENProcess 2a8 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:676
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 210 -NGENProcess 268 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1632
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 210 -InterruptEvent 2cc -NGENProcess 2a8 -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:296
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2cc -NGENProcess 210 -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1548
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 29c -NGENProcess 2d8 -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2128
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2a8 -NGENProcess 2dc -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2208
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2dc -NGENProcess 210 -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2064
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 29c -NGENProcess 2e8 -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1552
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2e4 -NGENProcess 210 -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1928
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2e4 -NGENProcess 29c -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2908
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 210 -InterruptEvent 2f0 -NGENProcess 29c -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2740
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2f0 -NGENProcess 210 -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1492
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2d8 -NGENProcess 2e0 -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1932
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2e8 -NGENProcess 2dc -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1728
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 2d8 -NGENProcess 304 -Pipe 210 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1652
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2f0 -NGENProcess 2dc -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1524
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2fc -NGENProcess 30c -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1104
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 2fc -NGENProcess 29c -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2208
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2e8 -NGENProcess 314 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:756
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 30c -NGENProcess 318 -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2108
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 29c -NGENProcess 31c -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2132
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 29c -NGENProcess 304 -Pipe 318 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2536
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 310 -NGENProcess 324 -Pipe 320 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2348
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 2fc -NGENProcess 304 -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2252
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 31c -NGENProcess 304 -Pipe 328 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:564
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 330 -NGENProcess 32c -Pipe 30c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:768
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 29c -NGENProcess 338 -Pipe 31c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2104
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2f0 -NGENProcess 32c -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2140
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 334 -NGENProcess 324 -Pipe 310 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2428
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 2e4 -NGENProcess 340 -Pipe 338 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2040
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 340 -NGENProcess 2f0 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  PID:572
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 2f0 -NGENProcess 334 -Pipe 348 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2012
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 334 -NGENProcess 344 -Pipe 33c -Comment "NGen Worker Process"
  2⤵
  PID:1920
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 34c -NGENProcess 2e4 -Pipe 324 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2368
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 2f0 -NGENProcess 354 -Pipe 334 -Comment "NGen Worker Process"
  2⤵
  PID:1624
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 330 -NGENProcess 358 -Pipe 350 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2464
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 2e4 -NGENProcess 35c -Pipe 314 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3060
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 35c -NGENProcess 304 -Pipe 360 -Comment "NGen Worker Process"
  2⤵
  PID:364
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 354 -NGENProcess 364 -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  PID:2388
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 34c -NGENProcess 304 -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  PID:2492
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 368 -NGENProcess 344 -Pipe 34c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2588
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 35c -NGENProcess 370 -Pipe 32c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  PID:2444
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 304 -NGENProcess 374 -Pipe 330 -Comment "NGen Worker Process"
  2⤵
  PID:1696
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 344 -NGENProcess 378 -Pipe 358 -Comment "NGen Worker Process"
  2⤵
  PID:884
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 370 -NGENProcess 37c -Pipe 340 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2712
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 374 -NGENProcess 380 -Pipe 364 -Comment "NGen Worker Process"
  2⤵
  PID:1732
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 368 -NGENProcess 37c -Pipe 35c -Comment "NGen Worker Process"
  2⤵
  PID:1832
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 384 -NGENProcess 370 -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  PID:2176
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 388 -NGENProcess 380 -Pipe 36c -Comment "NGen Worker Process"
  2⤵
  PID:2376
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 368 -NGENProcess 390 -Pipe 384 -Comment "NGen Worker Process"
  2⤵
  PID:2352
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 37c -NGENProcess 394 -Pipe 38c -Comment "NGen Worker Process"
  2⤵
  PID:1120
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 380 -NGENProcess 398 -Pipe 354 -Comment "NGen Worker Process"
  2⤵
  PID:308
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 390 -NGENProcess 39c -Pipe 378 -Comment "NGen Worker Process"
  2⤵
  PID:1712
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 370 -NGENProcess 398 -Pipe 388 -Comment "NGen Worker Process"
  2⤵
  PID:900
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 368 -NGENProcess 380 -Pipe 374 -Comment "NGen Worker Process"
  2⤵
  PID:2520
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 390 -NGENProcess 3a0 -Pipe 370 -Comment "NGen Worker Process"
  2⤵
  PID:2328
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 118 -InterruptEvent 11c -NGENProcess 3a4 -Pipe 37c -Comment "NGen Worker Process"
  2⤵
  PID:676
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 11c -NGENProcess 118 -Pipe 3a0 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:844
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 344 -NGENProcess 3ac -Pipe 39c -Comment "NGen Worker Process"
  2⤵
  PID:820
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 394 -NGENProcess 118 -Pipe 368 -Comment "NGen Worker Process"
  2⤵
  PID:2888
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 398 -NGENProcess 3b4 -Pipe 344 -Comment "NGen Worker Process"
  2⤵
  PID:3048
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 11c -NGENProcess 3b8 -Pipe 3b0 -Comment "NGen Worker Process"
  2⤵
  PID:1196
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 118 -NGENProcess 3bc -Pipe 390 -Comment "NGen Worker Process"
  2⤵
  PID:2200
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 118 -NGENProcess 3a8 -Pipe 3b8 -Comment "NGen Worker Process"
  2⤵
  PID:2880
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 118 -InterruptEvent 3ac -NGENProcess 3bc -Pipe 394 -Comment "NGen Worker Process"
  2⤵
  PID:540
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 3c4 -NGENProcess 3b4 -Pipe 398 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:944
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c4 -InterruptEvent 3b4 -NGENProcess 380 -Pipe 3cc -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:688
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 21c -NGENProcess 240 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1772
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c4 -InterruptEvent 1f4 -NGENProcess 3c0 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:300
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c4 -InterruptEvent 3c0 -NGENProcess 1f4 -Pipe 3c8 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2684
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent 380 -NGENProcess 21c -Pipe 3b4 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1740
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3bc -InterruptEvent 3c4 -NGENProcess 3ac -Pipe 3c0 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2840
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 21c -InterruptEvent 11c -NGENProcess 3c4 -Pipe 3a8 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1300
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 11c -InterruptEvent 290 -NGENProcess 250 -Pipe 380 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2928
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 3a4 -NGENProcess 118 -Pipe 11c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2752
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a4 -InterruptEvent 3d4 -NGENProcess 3d0 -Pipe 3ac -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1608
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d8 -InterruptEvent 3d4 -NGENProcess 3a4 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1628
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d8 -InterruptEvent 3dc -NGENProcess 1f4 -Pipe 3d0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:1360
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 3e0 -NGENProcess 21c -Pipe 3d8 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1168
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 3d4 -NGENProcess 3e4 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Modifies data under HKEY_USERS
  PID:1492

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2624
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 1c4 -NGENProcess 1c8 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1104
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 1c4 -NGENProcess 1c8 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:988

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2944

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2548

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1760

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:736

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
1.3MB

MD5
ea42557a6d64f75119d3aafde1b2d62f

SHA1
ceeffaf850b63719e298e6136fa7612de5ebeef2

SHA256
5a1ec9df439c88e12f45f097bfffa09b0898d85204b523a7b3e9441effbdfa82

SHA512
137b156e75de755d26c989adb5dd7e5a2ba37c15970ae251259eeff56843d1af6e4958a803dbf33f06a61a49bc7f53ead895daa554a7f78649df7fb8b80d13c0

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.4MB

MD5
aa76e8cdf60a3c3a4f5d3b311478b230

SHA1
a088319b9e1164e9b65542b6d5ec0b4c22f39e86

SHA256
951d1e2c9e9a5bda3dff64f028148302c5c5cb44e90276129b119b51b18cd041

SHA512
1e2ae06b67b34e1985cb2dbbf319686f091e113428e43549997f14aeda6d4d62e1d8ef278c0782477279833ba52b372d2d11c64e5f2741f56fec40ff1516c31f

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
1.2MB

MD5
338c5e235d0ccacc27f8eea93f529bbe

SHA1
0fda21f4fae7d10d6907f206e261acb641fc1b6f

SHA256
2d37172fd997241078c9ea8ad6a4cda6243db3f21ac4baf4c45bb710a726837e

SHA512
3df7f99ee569b7bdf886b0d311d5f9e00a5f6ab8ab04b65d11c510712721213719f7ce72e06e2fae3000cbaed9115cea3bc0c7ff23a21c35e59de3dbd60b2cb0

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
874KB

MD5
a0f78442ba0425a69bda211d4d3dd06c

SHA1
562fea21a95183922e1a4fd0ed134f95767e3260

SHA256
88cc9518c1e4ab53f97b1c2990b0820ea1b52e8b11b276be0db67f584aa4a9d6

SHA512
01f36910fad30e99fb04bc4bcd42afaefabd21a9d88100d70b914f83f33502503e69b3d758e5330613535c66d1bd64a8661d6d495c52903da7da8044a1997581

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
107KB

MD5
52cde50898dd293e909930571a5c7207

SHA1
0a26e33f0733515b31a3ce750e703108f7e764f2

SHA256
4a8ea40b325f435d5bdc78f5ea9af8c030f32ce5ec0b88fe059d866f565ece48

SHA512
f45f6f1faee5d348da377d38314e9f66cedada13c6cc9306b2164fc794299a85956bab375b79bcd3e6a0f53fcedb39bf84151a65e134b1860341452236d71787

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
101KB

MD5
fb742d366b0c4b23ac45976e87dece6b

SHA1
37622f716255aacca0a712f9ff1843eec96e15a0

SHA256
980be512bc6d712de2a0f0617977e6454eed4b770ba4066dc24df33f159bc7fd

SHA512
e1d17afb6568ed128f9b9fb6f0ef63e0ac7438a70386e5f9d7e05f464b13fc47e9b03ddfa196f37f1948f3019d3d3c74e5df59afd064ee74a85fde625b4ddfd0

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
77e042e614d10876e65b1df0776a007e

SHA1
984a1d0e9fcbb3a5c0a25a8e9b0c8e26cc220fd6

SHA256
bb72cf8a92962e9a3188d017dcf7563be2f4c4741fb2b25b731b2c444d972ae7

SHA512
c6a605ec5b09d05f4f030354effbcf8f8cdb66b088f05fd3ad7daa6034452b6d564dd99656731824fc897cc074ca3715493954d1907239d3b5458408394eb4be

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
542KB

MD5
70a691c86d1977cbd3417ddbd073a8f8

SHA1
0ac1a357ad87d6f609d6837b3e5aa7c71cd52ef7

SHA256
7c4e50b74c44498ad143593e267917a6fff5b2e494cda037e1c7889ac3e86bf1

SHA512
a5840b8a7984ff67b34344ca4c0c9dd0b2a4e95e08b6d17a72494247ad482b61fe3038f9152a86f57f0c5a12216cb1c1f1410107da1cd19cbfd7781fb8e90b24

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
dac49716e0733f57b890fdfcaa7fc7a5

SHA1
7a54558bda142bdc65ae5c1a4ea07be13307804e

SHA256
e6bad6e97e593d412d20b0b53ddae27332226e42dbbbde13b730cea4820c633b

SHA512
626f76d738c50673541f742e5b1b76f69c2603ee691dceff16a2f12a031b2ce29423c3e1c1484d0adbdcf199e45eb334ad3b5d0f0fb216045811754bb73ba27e

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.1MB

MD5
821b2fa01e73af2b1c32d9a74a425480

SHA1
ebe54fed47a65e03544bb6ca8e246fcb72567433

SHA256
bfa25fa078f6ba0e06b64565bc6af20a869a7d4ef3dd901a26720977fdec15ee

SHA512
844ed6938c04ab3895b7f1ee8c60972733d9b2720b76de10125b15ceb3fd6a5e1df93498da8d51f3bfbcb40197ec42d5710a61d59a185898b1c1bde5782ebf90

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
79218a0e5c5602b5914c4a346c4e0ad3

SHA1
ebc2a7102beb49aef43cf66f8d5a643fe1eef8fc

SHA256
1543e4f715b51203b9a034aa18f458e0eea499f04172785a35415b2e4c17eae3

SHA512
7702b243ad635ff792126a6752e67abb802bff6bb86e45aaa76ff79ce5f5f61d83c7c72d1bc64df3519778450e6bd5295f6aae01b005fbfcf26a44348f096a04

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
76325f2ef39a448b1304d2cc2ab3ff59

SHA1
6978bf48fb83d158b8ce38de19aaec1aa5f4c711

SHA256
4e8d6742578d419cc3ba205ef2632933aac6ff71c62a78c8e5a769100c3f5444

SHA512
f8fc8f0d131eef59acd472013e4d141e4501a1cae7aa49b75a34caf1c4eb0fb4ed53a8f372460eab3ecf589c0ca9ccc31d2ac81f98af28da2e0e46699133f36c

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
732KB

MD5
8d43920c0354cefc4749d4b9c69f6059

SHA1
c60c15b8b99b49f31d90284e3e447fe8ea897ac6

SHA256
138370e7c71e8bec299a5c5e46b6e908d1930227e623b363d7a269b091c74271

SHA512
2b69a489e8c14fd443352cdb3c5fb8ce2f64ddabe99837bd839e7006c6ef563eb1c5b352a59a79b5fa3e461e69167897ae34d8cd18e6f606ea6aea81e132fff7

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
1.3MB

MD5
d7a0ccab2ec46fb2f5f07317f540a1e1

SHA1
16db023a5b5c7e47d204b86e0ff7cea77a91baf0

SHA256
c0f0bfdd2a9ee743ab9caf69f8e7cf543de77469d3fe1a4d62645997007398a8

SHA512
c7a7c295205bc318d6cdc25e51823b025b7e8807bbf0a09908d35fce67e6f1cc253e78bbfd686f634ea00a63b6e093a8362328839d6c3c3494cf6dfbf77ac7e3

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
751KB

MD5
00771147be2b1da783ba7f247cec788c

SHA1
60048ec0713279e202bb0af37a711c672c771e58

SHA256
9a92614d6ddbf2c26a2b2d432b070ec56a786996b6ce4e233807a874a8468684

SHA512
24d1475f76d29f326ecbd2478e8e6071209d08c9c9d449cb1f225db47fbdb6bd2a7b0f951d31011572d0846220a4c4da1940f49f89dd8a8a87c03b9cfce4c42a

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
1.2MB

MD5
eccab955ba347367969c2a87288a7d2a

SHA1
13ff8c2b251adaf378035046ce3d3a4a40f97312

SHA256
90319536dad6f5cf186aa2732a1d06961ada9a273c49f9b2f5aa5c7d63c682a0

SHA512
6ec2ac1bcc1e6ea544e247c46bde0ce4fd90e8c5059164c892d4d8f0a9f1e4cb6f11811c1358cb3471f0f5c5c0a9e59c55f22006450f0a2e270878e00332e3b3

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
329KB

MD5
66f05735f8ea74a3a7e068d04a69aa4c

SHA1
909ce878914b0781c7d049938634f68db1009233

SHA256
fa4abefd93159b8d1ecc3a09f7dbaa818c51d6c3c532307b75893a22fe9dbe9c

SHA512
7e289ca8bb2508eb429c98839eedb1bc669260baa19675cf1da0d537eb5c26d15cf6b88975648533e40b486dbc7f83487b10f699c00856eeb3852374624d5f59

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
669KB

MD5
9720fa3ca41fa92b23a22153ce073a08

SHA1
7f32f1fe7af9f4cb379e7908f27b448aa0038c20

SHA256
f00fe7ba7e18df933d371400302e1e365642b140eebd89814db76a5603dc4515

SHA512
d8d45aa710b643366cf4b2af430b75f35f07c1d3764b4ea1cfb46f5c9f5f2e7c678ff845f4ee53bc2c4a1066a059191b0b559209ddd2bc411a11cbd2f923f4ba

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1005KB

MD5
2405e9f3e9c34d9353ed0f2d373bfdce

SHA1
38e4973ddc59b056eee3a190559a348bf32469b5

SHA256
92beb8b9b7b29679a1db72cafeef480c15cca6cac818ac26f1fe7992ed7493f8

SHA512
15d7ce977f6b34367bb96238c9e142216756915519ff467c3627358e50d400d9c108ffb3c79ed34395e4944b9bb8f7b24e894ced8820c7d3a67d499a9c653afb

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe

Filesize
805KB

MD5
c95dcadba5251065aadbf290b1e2b9ff

SHA1
439996b7147717af448b67068535d25eea2f3d71

SHA256
1a4cc9008a32af9c4fba299daeac8c732edfad39571fc108964d01f51b5c6a23

SHA512
f3dd6bda08edd3467088182b805c9b3800fd44ed3d931a09ae779e216bf906ab2f44c02e07ef8751bbb83c5582fa7bba9ca34d5a4ca3b25c894f02439f45923a

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe

Filesize
998KB

MD5
75ea81b1225e410e1dce0b31cb0e2c7a

SHA1
05bdad794b539ab29cc801a5a27898d8e25afbaf

SHA256
69902c78c1dc1b98185eb14587d0b5833e9097d52049e4ec8d9263fa5bf53694

SHA512
2a67812cde8938d5b403d30baa3a53be5bb322bcc959cf63e9144eb07702cbbc90370c2640d41bb2ce878fa482cf8f510a963fb3627421f7fbf33792f2df687d

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe

Filesize
564KB

MD5
5b19c48c9f1c35d38225414af28fb575

SHA1
c068299ee33395a5ffff9db1825b5c8ad6cd9aed

SHA256
3bd09f56013619441c39fd578a1465a6412826bc199e2b0dfde6193a2dfc313f

SHA512
c2d06ef1c7c3fb675b97583ad839bd37400cea016987105cf472691bc7ca901a52a3806e6c7c26da74f0cc4c571a5a7cc96f683b14b7bd9f4ca8584797a4d2b3

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe

Filesize
697KB

MD5
6943dc02e8c15a0dcc8f38fb32c52981

SHA1
f35725c0c9d580838b75a1e5ac6fdc9de78dc54f

SHA256
9e46ecb9267412ae4ec3731c6e2dd7c0e822659a5e2924cde56d712a8f502148

SHA512
dc0e0a47f85a42db82b06f886d2804d882411c49baf1d743358f2e28ecd1ee395bfb21fdc42e0ab6d9fa36e06274f759cab237a1f459825d8aa2cc8e62bb9b6b

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe

Filesize
683KB

MD5
b7de735a0f708bec225f5fad05d1bebd

SHA1
5fbffe2cf30667e220f847709a427cffc65ee8d5

SHA256
92bdb546cb33230fdf86dda23c117e0b0dfdc49302ce03acb70ae807aec88742

SHA512
902c7dfde653a169d3f51f4981f413e6a4f263b4dd8d1db8ec0b8b02ccc40939476130bd68528fd8dde2581f09c8cc46690e93916ae3159361c5b4e0b95a9ee9

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe

Filesize
827KB

MD5
909c400edcbe0821b186823a29b1da74

SHA1
601f9d5ce06df654b8677415386399a61fc6922e

SHA256
60ca648e76517fb42a4bc4359b1baaaa2d46da0b4b5ad5a65bfa0fd2ca7bb62c

SHA512
92fbfc8206807cc8fbe06cce1c2aa90f068e75fceaf69be0b51a88799e284a5c811965ece73466e37c6c088bd0e9ab194d0bc92ea6abd63b0ee8b2af8d846f7e

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe

Filesize
887KB

MD5
68709df5408f56415e999e3de21b4b90

SHA1
4a5be7c9ea227912a327fcddf7d06d94b98db148

SHA256
8ed18a9c835c8f42f8f895203f224a24db313d1446b4d2bc5151c600019f5308

SHA512
1c6cbaef4723955ffd9ab2e9865c3c1a2acffd8221fb45dc210d2d5d91cadb04c375e638c7ab43cf289741499e18dcb932bc87061d0569bc65ebc4e9b2f1ac29

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe

Filesize
715KB

MD5
a1ee43b9cdeeeee40d3bfc9a49e26a32

SHA1
fc5bdd6b873e578f2713008ae8a827df37aeac66

SHA256
2fab42fe8637a5d549c00091d30ec52890ac6ab9dfe68ef40e4ff88e2a17042b

SHA512
4f84773f16ab4d87d1796ddbf0a7c370e6e3cfd2477781c342a43ed36876f22ac60db30b6d94fd1d20115cfdc3fb38788b351c1e0504949621113b7426065769

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\java.exe

Filesize
606KB

MD5
c66d21aedfcc38d858c109c55714b6f3

SHA1
d7fa13f27fb1950e32bad71ea2557ef02d6ed0fe

SHA256
ca49e95c039024b71f5f67daca6c9d88b794ea13f921ec39b457118ce7c25a63

SHA512
1c8ff3bf7f3b6728278c167fde0d403ac5754a50eecac9f22f0bb680e7b8c738be813115759e53951d5d0892daeb4be083cb5f0a7bae2600c409fef87acf8bce

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe

Filesize
881KB

MD5
4bc52eb8dcbfe041e3dcd8422942400a

SHA1
27c5b0634543cb172f233eb99bccdb78bc0b4629

SHA256
4c370d8e4ad3113e640fbe93948027615f2a572f609b9d983b2012b9a69692e7

SHA512
194aded46b9cad630901a72609da37233c808450e59dd830af3e9e363c42f38b5ae148bd1c4bac1a4297cbecc35bef766e565ed4962e3f44270b66cdd7affb23

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe

Filesize
581KB

MD5
cd3b0403ff81d88542319bd89a5d6beb

SHA1
70e9376ae07b78e94c849fd4eebefbc2765f66ca

SHA256
7acf417103a37fcd6858df5a532ec302e86cc1e8ebf58594d6d24fef1b3712f9

SHA512
7e9a69b381a5ddfa1e7ddd99b49e877b5a63c8d8fa254b21e758dcb1c8b5b9b0b90a2eb6adb8164a59354d0f73fe1293549f87932ec5b4c5f03cae078ede45b4

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe

Filesize
721KB

MD5
1a181dc35c65a983195499ef19f37f58

SHA1
769ac5aab866ce09d35b5730aaf53b0396e81d8b

SHA256
c1653b2eacc118b6cd8cf91ec078f84a005ae8e942dbeb73248d986115ebbb3e

SHA512
21e6ea296dda15c4eb45c0432667f6ddf7896de79e244f5eff1472622807c96d0cc00b4ac503b8c296615a9fbc0a85a0e748ccf1bfcb5b484b4bba136a78250b

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
972KB

MD5
23b22d6c5b9e61a26d6f23356731695d

SHA1
c63c903db5d226b145ff5312f8db40e89e7efa23

SHA256
0306b1b13257adf862c4c88296c3f01514aedcacffe09300071ed8e5808fc1ca

SHA512
8d3dac59e042188fa6c4e720e417463aabfa767ba50a0f831d388e7ca06e0c6c13e8206d9ea827026bc885793c053332cbf2a7cddfbe03e205f1453dca9eb6d5

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
636KB

MD5
dce223531c6c0c90def42ad51809da1e

SHA1
bc71692d6f48ee9c6809d4886ccf657a207b9829

SHA256
cab90921855dd1970ad022c2cfe4df60c77c80c452e2399fcbb4bfc43ff666ea

SHA512
7126067763bf7c613eab42c8365a6daea7f8846204d9f2985b462c3ad5cff280e47e46514738a4e2a2e6fa9cd6f7adc5934fcb1e189004636caffca8b5e806d4

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
181KB

MD5
3524ee1ef7a6a6a688ae96fc6f60aa35

SHA1
da09df12d728de76d4829aceec1152aacf300d72

SHA256
8fd1f8bfc240cd54aa917a9f828bf9063eaad49a406bf75b9c175b6fd9f7c9bc

SHA512
856d66b90ecedf1f8a92dd634b93d562f8207636b332d5cd653d732f1d9655a0a1659e7aac9866be5e8729f01dfdcf95721111acfb85b56ef633e7ded0f1ade5

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
77KB

MD5
ca5a6de58654ad35a9204fae6c7c3c60

SHA1
060fe0139013d2bc813b7a849d7bc3fcfdfc9ee5

SHA256
531c8b40ec850b57e2e5079277833350bd907ff3d0da3f5da4fc6a647a02943e

SHA512
c6f20eb3ba096452ff4d89c388af73b6521cf758adfbe487935ede83ad7c2be75b977c4fc28fd4912062291b2cadd0ba138f2643f44481a8599698147c79f02a

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
804KB

MD5
56c3c719b1184cb96c9562203b7a2de9

SHA1
a62edce7c0b93ab7fa8d4a991dc6c4db5bb91b45

SHA256
c4a0c3eb7ad3a18dc7d228a0973c7606fb66015d7299cadede0e98187718609c

SHA512
321b4bd53236f86a28958f07beea8722fe63c135a85cf7162746341dfcf742e74dba348ddcc9aaf9806ff274084b8c983fd6f4f939fa37db7147cdedb1f2bd01

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
703KB

MD5
71d29cde2a1b64f5563d9789c434a50c

SHA1
7eaec759de0eaf7cffa70e42fc0b6a9dcee91610

SHA256
d75b683493023c3776f32f3ca08287f13f6de84a3f074120828625160cb4ae87

SHA512
6ae51accd286fe109d018da4b3893f91ae5729d123cadfcd59eab68e024ca2de1d979983ecb87c3fa19fc73b49c2756cb9b2156b46f89c0aebda9045dc8433d0

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
245KB

MD5
8d51637432d12ff25fd1b32be72d3bc0

SHA1
e7a9c6789412660b740af7b8149611a68e68179f

SHA256
708a7a00f1cfe567fa1dc79f9d234563c59f423647a97ad62273d501d0ad26de

SHA512
ba0abc491cba345bf8eefcc38dc33769d32f33fb6f13e5ccca72cab2f3e31545899301729100ae6ca1120b001526cfce3b376b806f7b396c93314edd359d60fe

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
621KB

MD5
20a2c494cfd2b6adc766bbde14f43a17

SHA1
eb386ac600b3e063bd3ab7879a81fc7fa8c75d4f

SHA256
ea37206bebeb67ac0472731ec07ae1420e551d683220a2437b623404cf12eb28

SHA512
6b9a01ab1da417da1aab8c98d3000fed75e615b08da3c45357da5f3298d2349d921d902ae301b11039fb8f6935d2155feef5ebf171e4ceee2c75137b7ab43d6a

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.1MB

MD5
2f4f389a0bdb78d63e63f585da97cb2e

SHA1
5f6aa1b5299555330659992fd12d1cec97cfd512

SHA256
4e2b35c867111cd4d34dfdf4f53e0585aefdf9bf9afee8dfca5565b728059a37

SHA512
2ea16f12f213c2384ac51d7edabb33a77ae985a58710f23c24dcbf77c3a5947c30994474e85c5ecbc3f24c529dd8cdcc5163e6ff173efa30305781452d91e543

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
147KB

MD5
54e88c9b29fdf7499ddbc9bbe1ee1316

SHA1
009ef151b39bde39a6b2fbfc59bd1785607f1c0b

SHA256
883576f0c58bca17bb285674f0e5c5092f261185980a4f529f36ff6211f860cf

SHA512
1a4258ca8f2b2e3f005ced2d0d3019cb33adab8e68c12d755acf2e73d1996f034728e0706141db0244f2eda04739d3fe926a2afd5f534e377276b569cccd587d

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
433KB

MD5
2b38b6400c3f503952cf1ecb3280ce34

SHA1
95f6be49f226b9fba14698cec7f4a43b7e0afb68

SHA256
9568e9ae798d06f98b763d492bc2c0fe83933904793fc363757f53477d8a3b9c

SHA512
990bf6f521de1554ada82efe761a573f1973923a2aa937e0cceca1c38324eb51562abf268534b8d9e9df18f79d85e9afc482c74b691d290f003b4ac9d292dba4

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
121KB

MD5
65ea7f256a581963b50f90a4b0beb25f

SHA1
6ad1eeaed65738a6c835aae955412bbaa05c8daf

SHA256
7222125b3ef34408b0dd8a93d2a17ae914040f222ae0244abe3b4beb7608001c

SHA512
d546dc1a900f6deaae11946b26c5c2e2ba26fa5b5fb770ca80a4aebae1c04ad34640403913f52888fede9c1cf243822f0a594f6cd4aea394c90ff12fa445179d

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
582KB

MD5
cb0e237bcb4e266abbdbac611cde18f3

SHA1
28f8b3fce2dc7aff4c572344ce30e0aee3dc3056

SHA256
03dfc96a45b586d9cc608cc719bbdeda80f450d7fa30d0bb18cdacbc0fa6b351

SHA512
a1df43c724346f37a4f27a9f87d56399284a7dc90b782124f0c888f88724b325eaec1c59e19852e59b17db9f2d1b281c083578edc3ad437475dad41e5b32e825

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
136KB

MD5
d034874511cd746a3c60c38ee7ac6073

SHA1
e4e8616106ed629014a53d7119995cb6ac5e8afc

SHA256
24ecbc5acd58c12557ea1af399391ec6628616773d4d2404303ed30bb67d1b7f

SHA512
03e217ad933025e1d6d11592f60809c665731de3c74e75c6ce3c2fa1581fec400239a8b098eaf2427321e15fb37741fbe39b0894354421a3b7c931d2482f49e3

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
9KB

MD5
a198770f8a62c247ca14e7f69c00192f

SHA1
c1b5f5e820cb993688fff3c1dddb048255355775

SHA256
af5d1207400de803bd0896165392ccc4b64eaf1cedb335ae57528087848f247b

SHA512
d41d9e5db333b580d1b1c9957d70d6d2aac0b484b4ecd5ce5391ab8a809cedfee62326fb64700b9a4e5370534cc8862d9625d2fe3b5d5ebf19174744f21c250c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
592KB

MD5
2c7a2b23cb0bebf9d0afa7c69e96a3b0

SHA1
e1c9852cb0cb90c92203f4d54335c8e02cd5f34a

SHA256
fcb69c3d7a358af5442ecfdea10013f406dc803ab68771a3fb8f1a404a2b1032

SHA512
bd7bd8520b3457d031556a4bdda898c0c67a154411730f2cebaaeffc201f078cbe6ef1bdd987f0fafc8dc3836d65faeab0098c0548b4d954999caf72511a4dff

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
248KB

MD5
cd9e5bd1a62bd503a0a6decb4bd4f139

SHA1
7d5188e957c14d7cb6f6d9fb7ee9b0a506c0fc0a

SHA256
1af9500d96e69645718782fe7bfba3f7e7c62b6ee6340f77fe28e7a7b2c6fa5e

SHA512
f80f5a2062fc6eeef31cd2dfd17b02f08e5d9b1a84bc83e91a141f92478ba594bff507436202b58242a59558801d0eb3e6cb5feb2b77b500df9751f6b179e359

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.1MB

MD5
4cfe9071622fdcc47b3c98505a8743e3

SHA1
20df1e6140d60a71b75ff14dffc6129733f1a4a9

SHA256
1077db50aeb0adc15eb94be9d3fd517873e2767e471f3cc2f96b9f68c4bb67a0

SHA512
a726972878afa37cf119cb4b3d3daa31ecf47fd39632df3972e5e24cf587b4a7128cc37286b46ba2dcfea04349482d462b8df8d0713761e4ac66ff708ecfe9cc

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
282KB

MD5
a02817dc11fc6837ab68b90aa8f24a1f

SHA1
4b70c925690d295b1469086fd8280cb42522f4da

SHA256
525850c70dff2af2cd873e22e80f195720a59d1b2b069156a11dfe28c71cd23c

SHA512
a08d3505fa677fc996df819a23e34f5dd3791c1356b554d7076062775352f46a05ab9859b1dbb11764bbec3fb35e048cc527437ba0e997491ac029eb8121b359

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
182KB

MD5
a54c3db9459a5fd800a8dc5499d42638

SHA1
2d8bf64be7ec5760172a83dc1523c98aa1c7f08a

SHA256
5b9e34c0452f7e1d1bf6ef7a2d23c68a9261b9d1255017c496eb1820bfad03e9

SHA512
c3a5ee52f2700991539a7b2143b6b08c9a8fe1f8fff91c4a90d560a7b1f996924018a4dcd55049ef163af33e9d7d6733421d5f2ed72108b882fc9f0ad8a47ebd

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
114KB

MD5
2284ffd5fdf1a3f8405b8b31035349cc

SHA1
41149f80abf4e7d6a09de323d68185c7b0c19f05

SHA256
b7a3316b01fdea91193783d5c5e9a835d9ac3e7ed4d8304691f0b71c8b11662d

SHA512
028ade69fc48ed06f09ac45e18e3bc0cdea050f087861bcd87e5cc4b621f8fad11938f7f4c3fe4bd70e227de5b1af17d930e7e89951c2d0fb464de0320f8126a

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
367KB

MD5
513471088c911cb3e9247bc0ef7cf251

SHA1
97c7e89bc18293b79ca3b21beb82c5106f2b4d67

SHA256
4b7fee630b54f8bcbefbc5011dc8423be9b263ca011454b76e45c93af2c09215

SHA512
39da6b8ad61188a421d7c63d8a473d351c0cc697f1b4d9b193969c2758f3a35a05f113ae00dd1530cc6d740ce434cc39e531126ba498e47606e94721f16e50a1

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
116KB

MD5
9c8d6da71c44a9fc6ac2cd09d52e76c1

SHA1
56fde4545d16f6702702b6d5679efd662e05fff2

SHA256
63d0738649921650e4c878b86062c59b2337695b23c86d24d85d38a10769d68b

SHA512
d97416f2957eaf3afd52084da71141bb3373b57b8389921834dfbb9a25a24bef720a9503a560c301c0f907e09dbdd6baea0ed0479e7350a4758fb76debfd488c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
255KB

MD5
0a581f73433d29e89c0f88c381080142

SHA1
cb1819ec53fde702179fbcb8d14656846744fb94

SHA256
d4d162cf1546bbde38b2a694da5dac26fe672b548c391b8af0b14a4d3d5ca5b1

SHA512
e43aafe730e3583a3b3c60d28847cb134f8854554e4e421e56c634c70f65ed0401f35a9c9a3e6b4eea6b836c7e67097d1d1ad49aa0480dab9de9176aa7d31bd3

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
123KB

MD5
887ae19dd8420186375f1159936d6f3d

SHA1
bf4acda31444ecb101798ed82ce6f05dc61b9304

SHA256
565b461e714d493c4006fc5fbc91b65e6e8a23f7efe1d4a1f858845efb8d33cc

SHA512
3243cb519092ddad62b4ec395e1a38418d78aad3dbb5699622ca0f0e937fed86677e517ca4fb0af175cdb36d58408fbb15e13fab6cd4e606f8155c080a3fec05

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
89KB

MD5
dd32e990f33a5bfcdb3eaf59b21fa155

SHA1
24e7dcdfa999395af7c4aa7749d0ddf36c9b3b73

SHA256
c0e026bae48e1946bd175276c45f0d27010d596ee80faed6f85528b0e53ec0b6

SHA512
da9c2372a4f2604a4487dc799496ff515fed0ac27e98084afcbeecb81d08cb068a6d36d634b146c57852a1b6aebea6529cda348e30764c0bb47a1102bdf87338

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
12KB

MD5
0c9ba052179918c61c94130260330504

SHA1
6afd857fec138eddaad1753c336ce9a772d8b052

SHA256
49fe6dd0dd2f3e447f4eccecfa7237dc509887b1b551ed244e74f4b140936bff

SHA512
9136e9e06cb2c8a998dca0e8a1b14c2dc294db48cd52c688742f366d524fde7720587d97cee0c64e4dc79a1edfb27cbcc9dffe2229a989434b414e909c55e081

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
237KB

MD5
884ae6459b917e30df0d2eb63cc03c35

SHA1
f2b512f3cfeec3eb1d25605c1d0d341fd33c654f

SHA256
5538f4c3f5b25221ccb244c3b5f0a6d9232074ea9edb34ad2e96d85e91f80339

SHA512
8eace1d3b77209b9d8278c93eed43537e17e48d54341fea416b2d4a6fd2bdcb682b7b3ec2946e929bff0596dc7b2685138d61d679dd23a07c8f24eb04a4b839a

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
1d7ca11f138d02d41ae32b2ccbcbab4d

SHA1
cd17bc89ab5560c5fc7d8192271d46663ae64677

SHA256
250b24f27a4d8628fb340b85bb31df4815c82a7f08a6f380c11518116b5144e8

SHA512
9f66c856dfa5df55154b874e9df05db30cd1abbc1f6c60736393930a9cb5f73435eb31bca7d72020b5f7b69f08a9c013f5163f19e45f081643caf19b4963132c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\5766ec3721d18a48bec1ca1f60331e2d\Microsoft.Office.Tools.Common.v9.0.ni.dll

Filesize
797KB

MD5
aeb0b6e6c5d32d1ada231285ff2ae881

SHA1
1f04a1c059503896336406aed1dc93340e90b742

SHA256
4c53ca542ac5ef9d822ef8cb3b0ecef3fb8b937d94c0a7b735bedb275c74a263

SHA512
e55fd4c4d2966b3f0b6e88292fbd6c20ffa34766e076e763442c15212d19b6dea5d9dc9e7c359d999674a5b2c8a3849c2bbaaf83e7aa8c12715028b06b5a48e1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
148KB

MD5
ac901cf97363425059a50d1398e3454b

SHA1
2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7

SHA256
f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58

SHA512
6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
34KB

MD5
c26b034a8d6ab845b41ed6e8a8d6001d

SHA1
3a55774cf22d3244d30f9eb5e26c0a6792a3e493

SHA256
620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3

SHA512
483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
109KB

MD5
0fd0f978e977a4122b64ae8f8541de54

SHA1
153d3390416fdeba1b150816cbbf968e355dc64f

SHA256
211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60

SHA512
ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\19e25da52dad67de5a5ef024d3577fcd\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
143KB

MD5
f321a89b68b6efaea83464956fbb8638

SHA1
44f852a1fedbb8574da9700dea70d1b8a24adbb9

SHA256
83fe98a815798334bf0ab9f28203ffe68af15fb7edd4f82314e317e320494a0b

SHA512
791e4ed12ec701a817fbc5ee017494c5e9b7bdd39e2bee84febe47ce62ed3d4391acc34f4dad1b2abde86247dc151763328362adfeff9ad2f17a7fa62f0a035c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\58b2bcc39377a1f010442807d1e6c4e0\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
83KB

MD5
24c39857923ffec7c5405873d10ec899

SHA1
18f964a336d7d765b95c02634b3013dfecd7a02d

SHA256
4ac3bc2a3a48377c0ceab0f86257031ac1f89c6e13b33abef8e9b66a5ffd4a1a

SHA512
f7107f9ca256fe27fc2398176f98e45ab9a6a4f693bc6155635183b095de027da4c916c7a6bd2274c030a411f594499d5f70484b17634be533d13e67c77465aa

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\861c966292a5f329bb8ad3c08a365c0b\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
187KB

MD5
be93cf17ee8810b9e3dab5b8ec294903

SHA1
062da73712a300fd4ac638c1676116803b6d5330

SHA256
c315e2f91287eac78971f826c91378186fadb013085594f6be963e0f47bf251e

SHA512
413858da2add7037424f6d41d497744a91ceb47462252f18a49d0ce0d22fd751e325a8890dcb41c32b383b9e09b9022bbcbb5d5dae4e7e39c6198efd8a705efa

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
53KB

MD5
e3a7a2b65afd8ab8b154fdc7897595c3

SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228

SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845

SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
28KB

MD5
aefc3f3c8e7499bad4d05284e8abd16c

SHA1
7ab718bde7fdb2d878d8725dc843cfeba44a71f7

SHA256
4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d

SHA512
1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\bf71f68ad70b24934e4b3e4bd341a5a3\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
180KB

MD5
13c7764b92902b280c21c2f2c42ad998

SHA1
c60414ec500b02b46965be1befa2d72bc96bcd5d

SHA256
715844f61bcb117afcf87e49571289001de6fa2dba97945f15aa7fdf7d7d69a4

SHA512
926a7195e42047ede5f6aa4f91841a14919a80d11d3d803b6df8fad3a9026f30983c3e3e434589d6c7dfaa441a719fdf368783d313dbc9459a36e22de9ee2ca7

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
27KB

MD5
9c60454398ce4bce7a52cbda4a45d364

SHA1
da1e5de264a6f6051b332f8f32fa876d297bf620

SHA256
edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1

SHA512
533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
57KB

MD5
6eaaa1f987d6e1d81badf8665c55a341

SHA1
e52db4ad92903ca03a5a54fdb66e2e6fad59efd5

SHA256
4b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e

SHA512
dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
130KB

MD5
2735d2ab103beb0f7c1fbd6971838274

SHA1
6063646bc072546798bf8bf347425834f2bfad71

SHA256
f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3

SHA512
fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiVidCtl\88e20c69254157d91b96eadc9444815d\ehiVidCtl.ni.dll

Filesize
855KB

MD5
7812b0a90d92b4812d4063b89a970c58

SHA1
3c4a789b8d28a5bfa6a6191624e33b8f40e4c4ea

SHA256
897626e6af00e85e627eeaa7f9563b245335242bc6196b36d0072e5b6d45e543

SHA512
634a2395bada9227b1957f2b76ed7e19f12bfc4d71a145d182602a1b6e24d83e220ebfabd602b1995c360e1725a38a89ff58417b0295bb0da9ea35c41c21a6ed

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dll

Filesize
43KB

MD5
3e72bdd0663c5b2bcd530f74139c83e3

SHA1
66069bcac0207512b9e07320f4fa5934650677d2

SHA256
6a6ac3094130d1affd34aae5ba2bd8c889e2071eb4217a75d72b5560f884e357

SHA512
b0a98db477fccae71b4ebfb8525ed52c10f1e7542f955b307f260e27e0758aa22896683302e34b0237e7e3bba9f5193ddcc7ff255c71fbaa1386988b0ec7d626

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.2MB

MD5
1b5b861466d58299657775f8c7cca43b

SHA1
2030e0a34f905e39006852fbda6a076d2f2b2e3c

SHA256
7227be0340b4999f259eceab9f1365837e2c417eeb815d6cfaa35970bb6d109d

SHA512
38d511f188624c7e5bd7f9a167ad234d78e7abad7f814805c871ec19a71df3f4051637c9e9ac639a91e40ce54b4be208ca497394595062f14f505b03686f80b8

Download Submit
\Windows\System32\alg.exe

Filesize
1.3MB

MD5
c629d8cf07f1123cf5f133b6549e06b2

SHA1
0889673bee2ffc504d297c5bde22bbfde3926738

SHA256
47ae72b917a8238ac4bb27723c3a89d5f5bcfcf5172f1a6a3e953b793f3e4b81

SHA512
d537cf8d3617f49d68e499b554ceb28628a1f615e061b45d037502d30c3afc439d670b0aa67ec8feb50ca4d8cb39698752047178e02ec6053cca900fa4424c02

Download Submit
memory/300-422-0x0000000000750000-0x00000000007B7000-memory.dmp

Filesize
412KB

Download
memory/736-106-0x000000002E000000-0x000000002E1F4000-memory.dmp

Filesize
2.0MB

Download
memory/736-109-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/736-102-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/736-300-0x000000002E000000-0x000000002E1F4000-memory.dmp

Filesize
2.0MB

Download
memory/768-410-0x0000000073230000-0x000000007391E000-memory.dmp

Filesize
6.9MB

Download
memory/768-407-0x0000000000330000-0x0000000000397000-memory.dmp

Filesize
412KB

Download
memory/1360-394-0x0000000073230000-0x000000007391E000-memory.dmp

Filesize
6.9MB

Download
memory/1360-404-0x0000000073230000-0x000000007391E000-memory.dmp

Filesize
6.9MB

Download
memory/1360-392-0x0000000000640000-0x00000000006A7000-memory.dmp

Filesize
412KB

Download
memory/1360-402-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1516-0-0x0000000000400000-0x0000000000540000-memory.dmp

Filesize
1.2MB

Download
memory/1516-6-0x0000000000690000-0x00000000006F7000-memory.dmp

Filesize
412KB

Download
memory/1516-7-0x0000000000690000-0x00000000006F7000-memory.dmp

Filesize
412KB

Download
memory/1516-1-0x0000000000690000-0x00000000006F7000-memory.dmp

Filesize
412KB

Download
memory/1516-16-0x0000000000400000-0x0000000000540000-memory.dmp

Filesize
1.2MB

Download
memory/1516-11-0x0000000002570000-0x0000000002571000-memory.dmp

Filesize
4KB

Download
memory/1760-100-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/1760-86-0x0000000001000000-0x0000000001060000-memory.dmp

Filesize
384KB

Download
memory/1760-97-0x0000000001000000-0x0000000001060000-memory.dmp

Filesize
384KB

Download
memory/1760-93-0x0000000001000000-0x0000000001060000-memory.dmp

Filesize
384KB

Download
memory/1760-89-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/1940-421-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1940-382-0x0000000073230000-0x000000007391E000-memory.dmp

Filesize
6.9MB

Download
memory/1940-379-0x0000000000850000-0x00000000008B7000-memory.dmp

Filesize
412KB

Download
memory/2028-368-0x0000000073230000-0x000000007391E000-memory.dmp

Filesize
6.9MB

Download
memory/2028-380-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2028-364-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2028-381-0x0000000073230000-0x000000007391E000-memory.dmp

Filesize
6.9MB

Download
memory/2256-303-0x0000000000890000-0x00000000008F7000-memory.dmp

Filesize
412KB

Download
memory/2256-294-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2256-308-0x0000000073230000-0x000000007391E000-memory.dmp

Filesize
6.9MB

Download
memory/2256-321-0x0000000073230000-0x000000007391E000-memory.dmp

Filesize
6.9MB

Download
memory/2256-319-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2504-272-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2504-280-0x0000000000320000-0x0000000000387000-memory.dmp

Filesize
412KB

Download
memory/2504-289-0x0000000073230000-0x000000007391E000-memory.dmp

Filesize
6.9MB

Download
memory/2504-296-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2504-306-0x0000000073230000-0x000000007391E000-memory.dmp

Filesize
6.9MB

Download
memory/2548-80-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2548-240-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2548-75-0x0000000000640000-0x00000000006A7000-memory.dmp

Filesize
412KB

Download
memory/2548-81-0x0000000000640000-0x00000000006A7000-memory.dmp

Filesize
412KB

Download
memory/2624-48-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/2624-49-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2624-55-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/2624-56-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/2624-113-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2760-131-0x0000000074828000-0x000000007483D000-memory.dmp

Filesize
84KB

Download
memory/2760-322-0x0000000074828000-0x000000007483D000-memory.dmp

Filesize
84KB

Download
memory/2760-311-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2760-118-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2760-124-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2760-123-0x0000000000160000-0x00000000001C0000-memory.dmp

Filesize
384KB

Download
memory/2816-318-0x0000000000350000-0x00000000003B7000-memory.dmp

Filesize
412KB

Download
memory/2816-335-0x0000000073230000-0x000000007391E000-memory.dmp

Filesize
6.9MB

Download
memory/2816-337-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2816-323-0x0000000073230000-0x000000007391E000-memory.dmp

Filesize
6.9MB

Download
memory/2820-18-0x0000000100000000-0x00000001001E3000-memory.dmp

Filesize
1.9MB

Download
memory/2820-17-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/2820-24-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/2820-25-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/2820-82-0x0000000100000000-0x00000001001E3000-memory.dmp

Filesize
1.9MB

Download
memory/2896-31-0x0000000140000000-0x00000001401DC000-memory.dmp

Filesize
1.9MB

Download
memory/2896-94-0x0000000140000000-0x00000001401DC000-memory.dmp

Filesize
1.9MB

Download
memory/2936-40-0x0000000000B80000-0x0000000000BE7000-memory.dmp

Filesize
412KB

Download
memory/2936-35-0x0000000000B80000-0x0000000000BE7000-memory.dmp

Filesize
412KB

Download
memory/2936-103-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2936-34-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2944-64-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/2944-65-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2944-129-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2944-71-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/2948-354-0x0000000073230000-0x000000007391E000-memory.dmp

Filesize
6.9MB

Download
memory/2948-349-0x00000000005F0000-0x0000000000657000-memory.dmp

Filesize
412KB

Download
memory/2948-365-0x0000000073230000-0x000000007391E000-memory.dmp

Filesize
6.9MB

Download
memory/2948-367-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2956-353-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2956-352-0x0000000073230000-0x000000007391E000-memory.dmp

Filesize
6.9MB

Download
memory/2956-338-0x0000000073230000-0x000000007391E000-memory.dmp

Filesize
6.9MB

Download
memory/2956-334-0x00000000005F0000-0x0000000000657000-memory.dmp

Filesize
412KB

Download